Current State of Kloak?

Patrick · November 16, 2024, 8:39pm

A slightly more sophisticated Makefile

Whonix:master ← Fat-Zer:better-makefile

opened 07:41PM - 15 Nov 24 UTC

- support for override of the compiler and utils - support for append/override …CFLAGS - a target to update man pages - install target - better handling of conditional flags, particularly: - disable some warnings on non-gcc compilers - handle GNU's tuples like `x86-64-pc-linux-gnu` and `aarch-unknowv-linux-gnu` - organize CFLAGS by sorting them into categories This pull request changes... ## Changes ## Mandatory Checklist - [X] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [X] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it Fixes #

Mycobee · November 17, 2024, 4:50pm

@Patrick is this code stable and maintainable as it currently exists?

i.e. do we see us having the resources to maintain it for the longhaul?

Patrick · November 18, 2024, 11:07am

Yes.

Patrick · November 18, 2024, 12:25pm

Patrick · November 19, 2024, 7:06pm

Signing releases · Issue #7 · Whonix/kloak · GitHub

Patrick · February 14, 2025, 2:24pm

In context of kloak-alike functionality inside Qubes:

github.com/QubesOS/qubes-issues

Very weird behavior when trying to call `qvm-features-request` with values that contain spaces

opened 03:59AM - 14 Feb 25 UTC

ArrayBolt3

P: default

### Qubes OS release Qubes OS 4.3 ### Brief summary `qvm-features-request` an…d `qubes-core-admin` exhibits very strange failure patterns if you call `qvm-features-request` from inside a template and try to set a key-value pair with a value that contains a space. In essence: * Setting a key-value pair to a value without a space works. * Setting a key-value pair to a value that contains a space fails. * If you try to set a key-value pair to a value that contains a space, subsequent attempts to set a key-value pair to a value without a space *may fail*. So far the behavior pattern seems to be reproducible, but somewhat unpredictable. ### Steps to reproduce 1. In dom0, kill the qubesd service with `sudo systemctl stop qubesd`. 2. In dom0, launch qubesd in a terminal with `sudo /usr/bin/qubesd -vv` for debugging. 3. Launch a template VM, it doesn't matter which one. I'm using `fedora-41-xfce`, but `debian-12-xfce` also works. 4. Run the following set of eight `qvm-features-request` commands, one at a time: Call 1: Run `qvm-features-request abc=def --commit`. Call 2: Run `qvm-features-request abc.def=def --commit`. Call 3: Run `qvm-features-request abc="def ghi" --commit`. Call 4: Run `qvm-features-request abc.def=def --commit`. Call 5: Run `qvm-features-request abc=def --commit`. Call 6: Run `qvm-features-request abc.def=def --commit`. Call 7: Run `qvm-features-request abc.def="def ghi" --commit`. Call 8: Run `qvm-features-request abc.def=def --commit`. ### Expected behavior All `qvm-features-request` calls should exit non-zero, regardless of whether they contain spaces or not. The calls should ultimately be no-ops since dom0 has no code to actually set the requested features. ### Actual behavior The following pattern is exhibited, with anomalies bolded: Call 1: Succeeds. Call 2: Succeeds. Call 3: Fails. Call 4: **Fails** (even though the value doesn't contain a space). Call 5: Succeeds. Call 6: **Succeeds** (apparently the previous success somehow got this case un-stuck?) Call 7: Fails. Call 8: **Succeeds** (maybe because we're dealing with the same key in both calls 7 and 8?) ### Additional information Every time a successful call is made, `qubesd` outputs a log message similar to `qubes.utils: Renamed file: '/var/lib/qubes/qubes.xml~XXXXXXX' -> '/var/lib/qubes/qubes.xml'` (where `XXXXXXX` are what appear to be random characters). Every time a failed call is made, `qubesd` outputs a log message like `app: permission denied for call b'qubes.FeaturesRequest'+b'' (b'fedora-41-xfce' -> b'dom0') with payload of 0 bytes`.

Patrick · February 14, 2025, 4:31pm

kloak-alike functionality might become available and enabled by default for Qubes-Whonix-Workstation users in Qubes R4.3.

Related ticket:

github.com/QubesOS/qubes-issues

Enable X11 event buffering in Whonix by default

opened 03:54AM - 13 Feb 25 UTC

ArrayBolt3

privacy C: Whonix P: default

### The problem you're addressing (if any) Now that https://github.com/QubesOS/…qubes-gui-daemon/pull/149 is merged, any VM in Qubes OS that supports a GUI daemon can have Kloak-like features (keyboard and mouse event delay) enabled on them. While most VMs probably would probably have their usability degraded if this feature was enabled on them by default, Whonix benefits greatly from having this feature because it directly helps it to accomplish its goal of providing additional anonymity to users. Right now a user has to explicitly set the `gui-ebuf-max-delay` feature to a non-zero value on a VM in order to enable event buffering. This is not something the average user should have to do, Whonix-Workstation should have this enabled by default. (Whonix-Gateway should potentially leave this disabled since the user won't be interacting with websites in Whonix-Gateway if used as designed.) ### The solution you'd like * Modify https://github.com/QubesOS/qubes-core-admin-addon-whonix/blob/main/qubeswhonix/__init__.py so that it responds to a feature request from a Whonix VM to set `gui-ebuf-max-delay`. Requests should only be honored if they fall between reasonable thresholds so that malware can't disable the delay entirely or set it to be so high as to render the VM unusable. * Add a script to Whonix's anon-ws-base-files package to request the feature and set it to a sensible value. This strategy will allow Whonix to adjust the delay in the future if it is desirable to do so. Alternatively, since the `gui-ebuf-max-delay` relies entirely on dom0 and doesn't require any domU-side code at all, we could just modify https://github.com/QubesOS/qubes-core-admin-addon-whonix/blob/main/qubeswhonix/__init__.py to set the feature all by itself one time, and that's it. This does mean that setting the delay is a "one shot" operation and if it turns out to be bad, another change to qubes-core-admin-addon-whonix will be needed. This would have the advantage of not allowing malware to even try to adjust the delay however. ### The value to a user and who that user might be Applications (especially websites) should have a harder time tracking the user via keyboard biometrics. (Mouse movements may also be obfuscated enough to make fingerprinting difficult through that method, though I'm not sure any concrete tests have been done on the mouse beyond "now it's laggy".) ### Completion criteria checklist _No response_

Patrick · March 24, 2025, 2:50pm

Related pull request:

github.com/QubesOS/qubes-core-admin-addon-whonix

Enable GUI event buffering for new Whonix-Workstation qubes

main ← ArrayBolt3:arraybolt3/event-buffering

opened 07:14PM - 23 Mar 25 UTC

ArrayBolt3

+3 -0

Pretty much as straightforward as it gets. Tested by installing in dom0 on Qubes… R4.3, then rebooting, then creating a new qube based on the whonix-workstation-17 template. `gui-events-max-delay` feature was set to `100` as expected and keyboard input into apps within the qube had noticeable jitter as desired. Fixes https://github.com/QubesOS/qubes-issues/issues/9771

Patrick · March 24, 2025, 2:51pm

Optional feature request:

unlikely
not crucial since this will be enabled by default in Qubes anyhow

github.com/QubesOS/qubes-issues

Allow end-users to customize GUI event buffering in Qube Manager

opened 07:21PM - 23 Mar 25 UTC

ArrayBolt3

C: manager/widget ux privacy P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… The problem you're addressing (if any) Event buffering is now a feature of the GUI daemon, which can be set by modifying the `gui-events-max-delay` feature for any qube that uses the GUI daemon. Currently this feature can only be used by advanced users who know where to find the documentation for the feature (a blurb in `/etc/qubes/guid.conf`, which isn't even used by the GUI daemon anymore) and who are willing to fiddle with the `qvm-features` command in a Dom0 terminal. Whonix-Workstation VMs will hopefully come with the feature set to a reasonable default value of 100 ms once https://github.com/QubesOS/qubes-core-admin-addon-whonix/pull/20 is merged, but just like kloak (the application that inspired the event buffering feature) is useful outside of Whonix, event buffering may be useful as well. Users need to be able to know the feature exists and how to configure it in order to use it. ### The solution you'd like We should provide some easy way to configure this setting, perhaps in Qube Manager. ### The value to a user and who that user might be Users can obfuscate keyboard rhythm biometrics from any VMs they want, regardless of OS, so long as they can interface with the GUI daemon. ### Completion criteria checklist (This section is for developer use only. Please do not modify it.)

(kloak is already default in non-Qubes for a long time.)

Patrick · March 25, 2025, 2:08pm

Patrick · April 6, 2025, 10:17am

Was merged.

The future of kloak-alike functionality in Qubes R4.3 and above is bright.

Patrick · April 19, 2025, 5:53pm

github.com/vmonaco/kloak

Status of Original kloak Repository and Whonix Fork

opened 05:51PM - 19 Apr 25 UTC

adrelanos

* time of writing: 20 April 2025 * [vmonaco/kloak](https://github.com/vmonaco/kl…oak) last git commit: Sep 25, 2023 * @vmonaco last comment in https://github.com/vmonaco/kloak/issues/10#issuecomment-2146658373: 4 June 2024 This GitHub repository can therefore probably be considered abandoned. @vmonaco's instrumental contributions have been highly valuable and appreciated. Let's hope he'll be back. We forked the repository and now maintain it under [https://github.com/Whonix/kloak Whonix/kloak].

Patrick · October 2, 2025, 1:41am

github.com/QubesOS/qubes-issues

Slight flicker when opening Qt application menus in qubes with gui-events-max-delay feature set

opened 10:08PM - 01 Oct 25 UTC

ArrayBolt3

C: gui-virtualization P: default needs diagnosis affects-4.3

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… Qubes OS release R4.3 ### Brief summary When using Qt applications, qubes which have the `gui-events-max-delay` feature set to a non-zero value may exhibit flickering when opening a menu in an application's menubar. The flicker doesn't occur 100% of the time, and it isn't massive, but it's definitely there. For unknown reasons this flicker does *not* appear to occur in GTK applications like Thunar and xfce4-terminal, but does occur in multiple Qt applications (qterminal, pcmanfm-qt). ### Steps to reproduce * Launch xfce4-terminal in an `anon-whonix` AppVM (since it will have `gui-events-max-delay` set to `100` by default). * Install `qterminal`. * Run `qterminal`. * Click on one of the items in the application menu bar, such as "File". ### Expected behavior Menu should immediately appear and not flicker. ### Actual behavior Menu appears, then seems to very briefly vanish, then re-appear (flicker). ### Additional information So far I've reproduced this on Whonix-Workstation 18 and Debian 13. Setting `gui-events-max-delay` to 0 causes the flicker to stop.

Patrick · October 3, 2025, 9:27pm

github.com/QubesOS/qubes-issues

Improve mouse anonymization in GUI daemon

opened 04:23AM - 03 Oct 25 UTC

ArrayBolt3

P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… The problem you're addressing (if any) The current implementation of input anonymization in the Qubes GUI daemon does a decent job of obfuscating keystroke rhythms, but does a very bad job of obfuscating mouse movement patterns. Mouse movements flood the event queue, resulting in almost all events being delayed by the maximum allowable delay, and resulting in the exact path of the mouse being exposed to applications watching the mouse's movements. ### The solution you'd like Whonix 18 has implemented a much-improved algorithm for mouse obfuscation in kloak. The core algorithm is still used, but when a mouse movement event is received, the event at the tail end of the event queue is checked to see if it is a mouse movement event or not. If it is, the new event's mouse location information is simply merged into the old event without delaying the old event any further than it is already delayed. If the checked event is not a mouse movement event, then a new mouse movement event is queued just like any other event. The result is that a flood of mouse movement events accumulates into a single event until that event is either released, or some other event is received (a keystroke, button click, etc.). This obfuscates both the timing of mouse movements and the exact path of the mouse, while avoiding event reordering and preventing keystrokes and mouse clicks from being delivered to the wrong locations. If possible, the same algorithm used in Whonix 18's kloak should be implemented in Qubes' GUI daemon. The change in behavior will (or at least should) be almost entirely transparent to the user - we already don't show the user the VM's mouse cursor, so they won't notice that the cursor now moves in a choppy fashion. They may notice the difference when clicking and dragging items in some applications, but it should not pose any substantial usability impairment. ### The value to a user and who that user might be Better anonymity in Whonix-Workstation VMs and any other VM the user chooses to enable event buffering in. ### Completion criteria checklist (This section is for developer use only. Please do not modify it.)

Patrick · October 10, 2025, 9:38am

Could not be reproduced and original reporter disappeared.

Patrick · October 10, 2025, 9:39am

github.com/Whonix/kloak

Update spec file to latest version and update systemd service Documentation tag.

master ← siliconwaffle:master

opened 06:28PM - 30 Sep 25 UTC

siliconwaffle

+33 -23

This pull request changes... ## Changes - Update spec file to latest version… - Update systemd file documentation ## Mandatory Checklist - [ x ] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [ x ] I have tested it locally - [ x ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it Fixes #

Patrick · October 10, 2025, 9:55am

arraybolt3 · October 20, 2025, 3:37am

It does, though depending on the speed at which your pointing device sends scroll events it may or may not be useful. Scroll events are treated identically to key press/release events and mouse button clicks, in that they are scheduled for release at a semi-random future time on an event-by-event basis. If your pointing device generates only a few scroll events during normal use, and you aren’t scrolling at a breakneck speed, kloak should be able to be somewhat effective at masking the exact timing between scroll events, but if your device sends a flood of fine-grained scroll events (or you scroll at extreme speeds like some pointing devices are designed to allow), it will probably not be particularly effective in those instances.

It might be possible to combine scroll events in a similar way to how we combine mouse movement events in Whonix 18’s kloak (yet to be released), in order to circumvent the issues of event flooding. That could possibly provide anonymity benefits. More research will be needed to determine if this is possible and how useful it is.

arraybolt3 · October 20, 2025, 11:25pm

The research isn’t really theoretical half so much as it is practical - is it actually possible to meld together scroll events such that if you generate two events in quick succession, you can turn them into a single event that scrolls as much as both of the events combined? Furthermore, does that provide the ability to actually mask differences in both scrolling device users and the scrolling devices themselves, or is the behavior of users and devices distinct enough to show through the jitter insertion mechanism kloak uses at its core? Both of those are unanswered questions at the moment.

Kloak’s README.md has a good bit of info about how it works under the hood, but the tl;dr: is that all input devices generate a series of events that the kernel then sends to userspace through various mechanisms. Usually what happens is a display server (such as X11 or labwc) will read the input events, and translate those into what you perceive as characters being typed on the screen, scrolling, clicking, and pointer motion. Kloak works by inserting itself between the display server and the input events coming from the kernel, and then applies manipulations to those events to make it harder to profile the user causing the events to be generated.

The original implementation of kloak was rather simple - all it did was grab input events, and schedule them for release at a semi-random time in the future, ensuring that each event was scheduled to be released between the release time of the last queued event, and a certain maximum limit. This ensured that events were seen by userspace in the correct order, but without the timing between the events being visible. For keyboards this worked great, but for mice and touchpads it was a problem because pointing devices generate lots of input events to move the pointer. This would flood the queue, make kloak’s scheduling mechanism always schedule an event for release at the maximum future time (thus getting rid of jitter), and kloak was unable to hide the pointer’s path. To work around this, we recently rewrote kloak so that consecutive mouse movement events are merged together, thus allowing jitter to still be present and hiding the pointer’s path (though it will still always end up in the right location).

Now though we have the question of scrolling. There are actually multiple different kinds of scrolling events, because there are multiple kinds of scrolling devices - there are mice with mouse wheels that have distinct “clicks” in them (most cheap mice are in this category), there are mice with smooth, high-resolution scroll wheels, there are mice with high-resolution, weighted, magnet-assisted scroll wheels that allow the user to scroll extremely fast for prolonged periods of time, there are touchpads with two-finger scrolling, and there are some laptops with a trackpoint that allow you to hold a particular button and then push the trackpoint up or down to scroll. As such, some pointing devices send one scroll event every so often (similar to mouse clicks), some of them send a brief flood of events (similar to mouse movement), and some of them send a long flood of events. The current way of masking those events is pretty much the same thing we do with keyboard keys, so for pointing devices that send a flood of events, this probably doesn’t help much.

The question then is how to not only make all users of these devices look the same, but also make all the different devices themselves look the same? This is a hard problem to solve, because even if you merge together consecutive scroll events in order to allow jitter insertion and mask the true number of events, you still have the fact that some scroll events are going to show up in short bursts characteristic of “clicky” mouse wheels, some scroll events are going to show up in longer bursts characteristic of touchpad scrolling, and some scroll events are going to show up in very long bursts characteristic of someone using a high-end Logitech or similar device and trying to scroll at breakneck speeds.

Possibly. I wouldn’t expect mice to send multiple scroll events for a single “tick”, but certainly there are profile-able things here. On the bright side, there seems to be some merging of events already happening since kloak doesn’t use the high-resolution scroll event API, but for some devices (particularly touchpads and some mice) that probably isn’t enough.

HulaHoop · October 24, 2025, 5:43pm

Perhaps reaching out to Vinnie and asking for his input on these interesting research questions (when he has time) could guide the next stage of defenses?